GPG Identity Checking

The OTC bot has an implementation for checking a gpg-registered user's ownership of accounts on any site, following the GPG Identity Protocol. This page describes how to use the system.

Generic checking

To check someone's claimed identity via GPG Identity Protocol on any site, use the gpgext verify command. It takes a URL (generally would be the url of the user's profile on a target site), and an optional nick (nick of some registered OTC user - if omitted, uses your own nick), and verifies the gpg_identity protocol tag.

Note that for a generic site, it remains up to you to manually verify that (1) the site and username match the content of signed protocol message, and (2) that the GPG identity tag was posted in user-only accessible area of the site. See the verification section of the protocol specification for more detail.

The following example session checks that user account 'mndrix' on the bitcoin forums belongs to OTC user 'mndrix':

<user> gpgext verify http://www.bitcoin.org/smf/index.php?action=profile;u=2538 mndrix
<bot> Verified signature made with keyid CE52C98A48081991, belonging to OTC user mndrix,
for site bitcoind.org/smf and user mndrix. Note that you must still verify manually that
(1) the site and username match the content of signed message, and (2) that the GPG
identity tag was posted in user-only accessible area of the site.

Site-specific checking

The bot can also do site-specific checking, where it takes care of all the steps of verification. In order to do this, it needs to be familiar with the specific layout and structure of the target site, so only a limited number of sites have specific commands. Currently, the following commands are available: